Skip to main content

Apache CVE-2026-34478

| EUVDEUVD-2026-21408 MEDIUM
Incorrect Provision of Specified Functionality (CWE-684)
2026-04-10 apache GHSA-445c-vh5m-36rj
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Red Hat
5.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 10, 2026 - 16:00 euvd
EUVD-2026-21408
Analysis Generated
Apr 10, 2026 - 16:00 vuln.today
Patch released
Apr 10, 2026 - 16:00 nvd
Patch available
CVE Published
Apr 10, 2026 - 15:40 nvd
MEDIUM 6.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 238 maven packages depend on org.apache.logging.log4j:log4j-core (107 direct, 131 indirect)

Ecosystem-wide dependent count for version 2.21.0.

DescriptionCVE.org

Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.

Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:

  • The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
  • The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

AnalysisAI

Apache Log4j Core 2.21.0 through 2.25.3 allows remote log injection via CRLF sequences in Rfc5424Layout due to undocumented renaming of security-relevant configuration attributes (newLineEscape and useTlsMessageFormat). Attackers can inject malicious log entries or downgrade TLS-framed syslog to unframed TCP, compromising log integrity for stream-based syslog services. SyslogAppender users are not affected. CVSS 6.9 indicates medium-to-high severity; EPSS and exploitation signals not available at time of analysis.

Technical ContextAI

Apache Log4j Core's Rfc5424Layout implements RFC 5424 (syslog message format) with support for RFC 6587 (TCP framing) and RFC 5425 (TLS framing) via configuration attributes. The vulnerability stems from CWE-684 (Incorrect Provision of Specified Functionality), specifically the silent renaming of two critical attributes: newLineEscape (controls CRLF escaping for TCP-framed syslog per RFC 6587) and useTlsMessageFormat (controls whether TLS framing per RFC 5425 is applied). When these attributes are renamed without deprecation warnings or documentation updates, users upgrading to Log4j Core 2.21.0+ inadvertently lose newline escaping protection and TLS framing enforcement, reverting to unframed TCP transmission. This allows attackers to inject CRLF sequences into log output, potentially forging syslog messages or causing log injection attacks against downstream syslog aggregation systems. The SyslogAppender wrapper is unaffected because its configuration layer was not modified. CPE cpe:2.3:a:apache_software_foundation:apache_log4j_core:*:*:*:*:*:*:*:* indicates all versions are technically in scope of the CPE, but the vulnerability is specific to versions 2.21.0-2.25.3.

RemediationAI

Vendor-released patch: Apache Log4j Core 2.25.4. Users should upgrade to Log4j Core 2.25.4 or later, which restores the original newLineEscape and useTlsMessageFormat attribute names and behavior. For users unable to upgrade immediately, review Rfc5424Layout configuration in log4j2.xml or equivalent configuration files and verify that newLineEscape and useTlsMessageFormat attributes are present and correctly set according to RFC 5424/5425/6587 requirements; if these attributes are missing or renamed in recent upgrades, manually restore them or revert to SyslogAppender (which is unaffected). Detailed remediation guidance is available at https://logging.apache.org/security.html#CVE-2026-34478. The upstream fix (GitHub PR #4074 at https://github.com/apache/logging-log4j2/pull/4074) addresses the attribute naming issue.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2026-34478 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy